It has been a long fun road working as a contributor to CSO Online. Unfortunately tomorrow will be my last official day with this publication. I have had a great time writing here over the last 4 years. I count myself lucky to have had the chance to work with folks like Joan Goodchild, Steve Ragan and many others.

This has been a fantastic opportunity. I’ve learned many lessons along the way. I was given the chance to operate without a net. As a result I learned some things the hard way. I remember once I took a tip from a friend and ran with it, only to discover, to my chagrin, that the information wasn’t even remotely correct. That was a painful one but a valuable lesson.

WannaCry ransomware is yet another wake-up call and not a sales opportunity. Let’s dispense with the hyperbole and bull. Let’s stop pointing fingers. Let’s get down to the meat of the matter and have a good long look at what we have learned, or at least should learn, from the events of the weekend.

First off, what is the potential scope of the problem? Reports have stated that in some cases 200,000 systems have been infected with the ransomware. A cursory glance at the site Shodan.io shows well over a million systems with port 445 exposed to the Internet. Of course, an open port 445 is no guarantee that SMB was actually listening on it, but the odds-on favorite is that the number that were was greater than zero.

As I dragged myself out of bed the first morning it was hard to wrap my head around the fact that I was in another city for another conference. I’m not complaining; it was more that I wasn’t sure where I was for the first few minutes.

Soon after I remembered that I was in Amsterdam I wandered out into the light of the daystar. I was off in search of waffles and coffee before making my way over to the venerable Grand Krasnapolsky hotel for day one of the sessions at the 2017 iteration of the HITB Amsterdam conference.

The first talk that I took in was one that tackled mainframe-related security. The talk by Ayoub Elaassal called “Breaking the fourth wall: Hacking Customer Information Control Systems” caught my attention. After having spent almost a decade in the power systems space I could not miss this presentation. I was not disappointed. I recall early on in my career a venerable grey beard looked me dead in the eye and said, “Never type $! on a mainframe.” This advice has stuck with me ever since.

Let’s be honest with ourselves. Who amongst us actually, no really, actually enjoys patching systems? There are outliers to be certain but, by and large, there are not many among us who enjoy it. That is a problem in and of itself, because patching is fundamental. Collectively, we are failing to do the foundational things correctly.

Whether it is patch management, asset management or even something as simple as logging, we are often too quick to take the easy way out. As part of something I’ve been working on I have been reviewing the publicly available breach disclosure notices. What is really striking is the number of times a system was compromised due to a missing patch or a misconfiguration.

So, my less-than-favorite topic found itself at the top of my reading list today. Wikileaks released a treasure trove of documents today that purport to outline all manner of CIA-related operations.

After I got past the “what the actual…” moment, I had to pause. On social media and various news outlets there was talk of the CIA’s ability to compromise various encrypted communications. Hold that thought. We’ll come back to it.

The news that I’m seeing is full of commentary about how the CIA can compromise devices and computers right down to TV sets. This may come as a shock to people but, spy agencies…well, they spy. This is their raison d’être. Whinging about their capabilities is, in no uncertain terms, absurd.

Decades ago privacy really wasn’t that much of an ongoing issue. In the days of agrarian society everyone seemed to know everyone else’s business and personal lives. As we moved forward into an era of denser population centers due to the advent of the industrial revolution, suddenly we collectively found a greater yearning for privacy.

In this current day and age we find ourselves slipping back to the agrarian mindset in some ways. Governments the world over are moving to strip privacy from their citizens under the guise of security. Once the battle cry was to protect the children; that has given way, in most respects, to the fight against terrorism. That logic has the appearance of being sound because people who are afraid are less likely to argue.

This year at the RSA Security Conference some 40,000 people packed the halls of the Moscone Center in search of solutions (and light-up swords) to solve their problems. Whatever the issue, they were looking for a salve to soothe their wounds, in a manner of speaking.

For all of the vendors hawking their wares there was one thing that no one seemed interested in talking about: process. Specifically, defined, repeatable processes. A friend once said to me, “Dave, the 90’s called and they want their phrase back.” But, they can’t have it. We need that now more than ever. Security professionals seem to be endlessly fixated on tools and blinky things.

As the philosopher George Santayana famously said, “Those who do not remember the past are condemned to repeat it.” So why then do we continue to seek out technological answers and leave processes to fall by the wayside? Why do people buy solutions that aren’t going to fix things? A great example of this: why do people try to buy appliances to fight distributed denial of service attacks? Appliances just don't scale. It causes me no end of confusion.

In the course of my conversations with people this week, a lot of the issues that came up were ones that could be mapped back to process-related discussions. I talked about privileged access control in my article yesterday as one instance. The person that I was talking to wanted to buy a solution to fix their management problem. I asked them what kind of process they had defined for adding and removing staff. I was met with a blank stare.

I have no doubt that there are solutions for issues such as this. Some of them may well be excellent but, that is a moot point if there is no process defined. If you go out to dinner at a restaurant, the process breaks down if you don’t know what you want for dinner. If you look at the wait staff and say “surprise me” you may not be happy with the end result.

People generally don’t care too much for building processes. Much like log review, people like to talk about it but, few ever actually do it. But, these are fundamental security components that need to be practiced at length and updated regularly.

One of my favorite stories that I like to rehash is one about a policy document that I encountered at a previous employer. The document had gone 10 years without a review and, when read, was borderline incomprehensible. Upon further digging it was discovered that this was a copy and paste from a swimming certification. Yes, you read that correctly. Until I came along no one had either read it or taken the time to dig into it. Some nitwit had created that document to satisfy a compliance requirement.

This is a problem that I’ve run into several times over the last couple of decades. If you don’t have solid processes, guidelines, standards and policies you find that you are building on a foundation of tapioca and sand. It might look good to some but it has no value.

Once you can define your requirements and have your processes built then go talk to your vendors to find solutions.

Privileged accounts are a necessary evil for a lot of organizations. These accounts allow users to do work that can, in some cases, lead to unfortunate results if misused. But, how many organizations do a good job of tracking and controlling these accounts?

One subject that kept presenting itself during the conversations this week was privileged access control, specifically dealing with privileged accounts. I had to check the calendar at this point to make sure I had not inadvertently slipped into a vortex that threw me back to the late 90s. Am I being inordinately flippant? Only partially, to be fair.
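The process question asked above, who gets a privileged account and when it is taken away, is concrete enough to check mechanically. The following is an added example, not code from the article: it reconciles a privileged group's membership against an HR roster and recent-login data. All three feeds are constructed in-memory stand-ins (a real run would read an HR export and an LDAP or AD group query), and the entitled roles and the 90-day staleness threshold are assumptions.

```python
"""Reconcile privileged group membership against the HR joiner/leaver roster.

Added example; the roster, group dump and login dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

@dataclass
class Person:
    username: str
    active: bool      # still employed according to HR
    role: str         # job role from HR

PRIVILEGED_ROLES = {"sysadmin", "dba"}   # assumption: roles entitled to the group
STALE_AFTER = timedelta(days=90)         # assumption: unused privilege is revoked


def reconcile(roster: Dict[str, Person], group_members: List[str],
              last_login: Dict[str, date], today: date) -> Dict[str, List[str]]:
    """Return the lists a periodic privileged-access review needs to act on."""
    findings: Dict[str, List[str]] = {
        "leaver_still_privileged": [],   # HR says gone, group says still admin
        "unknown_account": [],           # no owner in HR: orphan, shared or service account
        "role_mismatch": [],             # employed, but the role does not justify the group
        "stale": [],                     # privilege not exercised within STALE_AFTER
    }
    for member in sorted(group_members):
        person = roster.get(member)
        if person is None:
            findings["unknown_account"].append(member)
            continue
        if not person.active:
            findings["leaver_still_privileged"].append(member)
        elif person.role not in PRIVILEGED_ROLES:
            findings["role_mismatch"].append(member)
        seen = last_login.get(member)
        if seen is None or today - seen > STALE_AFTER:
            findings["stale"].append(member)
    return findings


# Constructed sample feeds (not real people or systems)
ROSTER = {
    "alice": Person("alice", active=True, role="sysadmin"),
    "bob": Person("bob", active=False, role="sysadmin"),     # left the company
    "carol": Person("carol", active=True, role="developer"),
}
GROUP_MEMBERS = ["alice", "bob", "carol", "svc_backup"]
LAST_LOGIN = {"alice": date(2017, 2, 10), "bob": date(2016, 11, 1), "carol": date(2017, 2, 1)}


def run_review(today: date = date(2017, 2, 14)) -> Dict[str, List[str]]:
    return reconcile(ROSTER, GROUP_MEMBERS, LAST_LOGIN, today)


if __name__ == "__main__":
    for category, names in run_review().items():
        print(f"{category}: {names}")
```

Each finding maps to a step the process has to own: a leaver still in the group means offboarding never reached the directory, an unknown account means nobody is accountable for it, and a stale one is privilege that could be removed without anyone noticing.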

Over the years I have had occasion to manage large numbers of servers. I remember all too many times sitting cross legged on the floor in the bone chilling cold of the data center at my old job. I would sit there thinking fondly of the cup of coffee I had to abandon at the mantrap before walking out on to the floor. It was either sitting in the data center or being huddled shoulder to shoulder with co-workers in a room where a Cybex was hooked up for remote access.

Every year San Francisco plays host to a massive show in the form of the RSA Security Conference. The city becomes awash in a sea of interlopers wandering the streets adjacent to the Moscone Center with their name badges dangling around their necks. The motivations for attendees run the gamut from A to Z and all points in between.

For me this is an opportunity to connect with customers and friends. It allows me the chance to talk with a lot of people. In the course of my conversations with people I asked them what they thought the overarching theme of the conference has been. In most years I would receive a response that was by and large uniform. This year, I was surprised to hear no uniform answer. Each person I spoke to had a different take away. I was firmly convinced that Internet of Things would be the main one but, I guess that was only my perspective.

Today news broke of a particularly nasty vulnerability in the WordPress REST API. The vulnerability in this case allows for content injection as well as privilege escalation. It would allow an unauthenticated interloper to modify basically any content that they see fit. Posts, pages, all fair game. This is anything but a small issue and, from what I’ve read thus far, trivial for an attacker to exploit. The issue was discovered by a security researcher at Sucuri.

For the uninitiated, WordPress is an open source CMS platform that was first introduced to the world in May 2003. Matt Mullenweg and Mike Little released WordPress 13 years ago and it can now be found installed on at least 18 million sites according to the analytics site BuiltWith. The audience measurement company Quantcast estimates that almost 26% of the top 10,000 websites are running WordPress. Based on the most recent data on BuiltWith, only 93,981 websites were running version 4.7 or later.
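The first thing a site owner wants to know is whether their install is on the affected branch. The following is an added example, not code from the article or the WordPress project. It extracts the version from the `<meta name="generator">` tag WordPress emits by default and compares it with the affected range. The range itself, 4.7.0 and 4.7.1 with the fix shipping in 4.7.2, comes from the public fix rather than from the article; the HTML snippets are constructed, and a site that suppresses the generator tag is reported as unknown rather than assumed safe.

```python
"""Classify a WordPress front page as affected by the 4.7.x REST API content bug.

Added example; HTML samples are constructed, the affected range is from the public fix.
"""
import re
from typing import Dict, Optional, Tuple

# WordPress default: <meta name="generator" content="WordPress 4.7.1" />
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([0-9][0-9.]*)',
    re.IGNORECASE,
)

FIRST_AFFECTED = (4, 7, 0)   # REST API content endpoints arrived in core with 4.7
FIXED_IN = (4, 7, 2)         # first release carrying the fix


def parse_version(text: str) -> Tuple[int, int, int]:
    """'4.7.1' -> (4, 7, 1); a bare '4.7' is the .0 release."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def wordpress_version(html: str) -> Optional[Tuple[int, int, int]]:
    """Version from the generator tag, or None when the site hides it."""
    m = GENERATOR_RE.search(html)
    return parse_version(m.group(1)) if m else None


def rest_api_affected(version: Tuple[int, int, int]) -> bool:
    return FIRST_AFFECTED <= version < FIXED_IN


def assess(html: str) -> str:
    """'affected', 'not-affected', or 'unknown' (no generator tag: verify another way)."""
    version = wordpress_version(html)
    if version is None:
        return "unknown"
    return "affected" if rest_api_affected(version) else "not-affected"


# Constructed front-page fragments standing in for fetched pages
SAMPLE_PAGES: Dict[str, str] = {
    "blog-a": '<head><meta name="generator" content="WordPress 4.7.1" /></head>',
    "blog-b": '<head><meta name="generator" content="WordPress 4.7.2" /></head>',
    "blog-c": '<head><meta name="generator" content="WordPress 4.6.3" /></head>',
    "blog-d": '<head><title>No generator tag here</title></head>',
}


def assess_all(pages: Dict[str, str] = SAMPLE_PAGES) -> Dict[str, str]:
    return {site: assess(html) for site, html in pages.items()}


if __name__ == "__main__":
    for site, verdict in assess_all().items():
        print(f"{site}: {verdict}")
```

Note that 4.6.x is reported as not affected only with respect to this bug, since those releases do not ship the REST content endpoints in core; an older install is still unpatched for everything else and should be upgraded regardless.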

Many years ago, in simpler times, I was responsible for the security program that included the controls which protected (in theory) against malicious files and programs that were hell bent on causing mischief. We had agents on our servers for virus protection, asset inventory, host intrusion detection, host firewalls and so on. Now, keep in mind that this was before ransomware was even a thing on any sort of scale. Each agent wanted a slice of memory. After a while, the slices were in such short supply that servers were running into resource constraints.

I have to admit that it was always amazing to me that I could not purchase a unified agent. It just wasn’t an option. Worse still, I could not even obtain a single dashboard to manage all of the products from at least one particular vendor. Ahem.

As I do every year, I find myself working through the list of upcoming conferences around the world. One thing that I’ve always been pleased about is the rich variety that is available right across Canada throughout the year.

I’m going to apologize in advance to the conferences that I leave out of this list. There is no ill will meant for any and I will revisit them in the future. For the purpose of this article I will address 5 Canadian security conferences that will be held in 2017 that you really should check out. This list is presented as a stream of consciousness as opposed to having any rhyme or reason.

First and foremost is the Northsec conference that will be held in Montreal, Quebec from the 16th until the 21st this May. I was very fortunate to give a talk at this conference almost two years ago now. The audience is very receptive and the venue is quite nice. It is located in the old part of Montreal, which is a selling point for me in its own right. The conference has a well regarded Capture The Flag (CTF) competition. This isn’t a small contest. They have 400 competitors on 50 teams.

The holiday season is a time to spin down and relax for many people. It is when we hang up our spurs, or rather, tuck the carry-on suitcase into a corner at least five feet away from the door. But, as with every holiday season, we see the packet Grinch crawl out of his cave, destined to muck everything up for the rest of us when we try to find some manner of respite as we sit by the video of a log burning on the fire.

It has been literally years since I was in a role that required me to be available in a 24/7 on call capacity. Still I find that even over the holidays, I keep my phone/tablet/laptop/batarang close by. Old habits die hard I guess. How does your enterprise keep the lights on when the holidays roll through? I don’t expect you to answer me but, can you answer that yourself? Do you have coverage? Do you have an escalation tree on who needs to be called in the event that the Grinch and his army of digital henchmen come down the corporate chimney?

At a company that I worked at years ago I had a large build-up of vacation time. This was time that I needed to use by the end of the calendar year or “poof”, it was gone. So, with three weeks left and three weeks of vacation in the bank, I announced I was taking the rest of the year off. This was mostly in jest but, to my surprise, my boss said, “sure, see you next year.”

Rather than belabour the issue I packed up my things an hour later and wandered out into the snowy evening. We had a well defined escalation plan and we had a help desk that knew who they had to call in the event of an incident. It was a surreal feeling for me to have three weeks of vacation. My wife even said, “since you have the time off you can grow a beard.” While the facial hair grew, the attackers tried their hand at defeating the controls that were in place. Their attempts, thankfully, fell flat time and again. At no point during my vacation did my phone ring with a sev 1 incident.

I was never far away from a device that I could use to check my email then. Even now I can’t help but to keep an eye on things. But, knowing that there are defined repeatable processes in place that have been tested and rehearsed is a great comfort.

This year, I hope that you can relax and enjoy the crackle of the fire on your TV knowing that your defences will stand up to attackers who will try to steal some of your holiday joy.

Last month I shared some stories about events that I’ve had to contend with over the last 20 years. One incident that I recall involved a particular individual who thought that scanning only up to port 1023 was the proper way to check for security issues on a network. I still shake my head that this person had a job.

When I wrote about this incident before I was asked, whatever happened to this person? Well, to this day they are still gainfully employed much to the amazement of many.

Now, I’m not one to throw stones at people who don’t know something in the course of their career, laughing and pointing because someone might not know sed or awk, as an example. To do so is puerile and counterproductive. That shifts, however, when I take into account that some people have no interest in changing. Those are the people that I reserve my disdain for. If your knowledge base expired 15 years ago and you exhibit no interest in keeping current then I find no reason to pull punches.

After years in the information security space there are few things that get me misty eyed like a massive data center. In part because it gives me a chance to reminisce about the good old days. Hundreds of hours sitting cross legged on the floor shivering while I tapped away on my keyboard trying to deploy or recover a system. Ah, good times.

But, as with all things, change is inevitable. One example of this is that it has become abundantly clear that castles simply do not scale. What I mean by this is that the old way of having all of your servers and appliances in a dedicated data center has to change. We all had a good giggle when Microsoft had their advertising campaign a few years ago with the battle cry “To the cloud!” While this was amusing, it was spot on.

There are few things that make for as amusing reading as an acceptable use policy. In some organizations that I’ve been through, it was clear that no one had ever read their unicorn-esque policy document. Some of the components were clearly not something that could be implemented.

I have been met with the phrase “but, we have a policy” a few times. I said, “Great, can you show me who has read it?” After a long pause they said, “Well they are required to have read it."

This is why I used to chew on Advils like they were candy. Logic flows were broken in many places along the way. In one such organization there was a need to send out emails with important information for the entire organization on a fairly consistent basis. The assumption that was made from high atop Mount Olympus was that people were inherently good and would never dream of causing the company undue harm.

Years ago I was working on a project that had a rather interesting premise. It was a way to send a file between two parties that was stamped as verified by a third party intermediary. Pretty basic stuff but, in the 90s it was rather neat. One of the things that I discovered was that I could issue junk commands to the application simply by launching a telnet client and connecting to the “encrypted” listening port.

Yeah, that was how the developers described it. I smiled. I was able to get the application to answer various queries that, by the documentation, should have only been possible using the client application that was purpose built for said task. The client and server were supposed to have some manner of key exchange but, it did not work as advertised.

Over the years there has been one love hate relationship that I could never truly get away from entirely. That was logging on systems and anything else that had something to say. I got so silly that at one point when I was doing work for a DoD customer I had a monitor on my desk that was simply tailing the perimeter router logs. I had gone full matrix and no, I never once thought I was Neo.

One company that I did work for in the past had a syslog server that was purported to be collecting logs from production systems. This was an environment where there was so much work to do that I relegated the syslog system to the back burner. I didn’t like logging systems. I didn’t want to have anything to do with them. I knew in my heart of hearts that this was a necessary aspect of the job but, it ranked right up there with a home lobotomy kit.
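A syslog server that is "purported" to be collecting is the recurring failure behind the patch, asset and logging gaps mentioned earlier: nobody checks that every production host is actually sending. The following is an added example, not code from the article. It parses a handful of constructed RFC 3164-style lines from a collector and compares the last-seen time per host against a constructed inventory, reporting hosts that have gone quiet or never showed up, plus hosts that are logging but are not in the inventory at all. The 30-minute silence threshold is an assumption.

```python
"""Find inventoried hosts that have gone silent on the syslog collector.

Added example; log lines and inventory are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

# "<PRI>Mon DD HH:MM:SS host program[pid]: message" (RFC 3164 layout, no year)
LINE_RE = re.compile(r"^<\d+>(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")

EXPECTED_HOSTS: Set[str] = {"db01", "web01", "web02", "fw-edge"}   # constructed inventory

SAMPLE_LOG = [
    "<34>Feb  3 09:12:01 web01 sshd[2231]: Accepted publickey for ops from 10.0.0.5",
    "<86>Feb  3 09:15:44 web02 sudo: ops : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "<13>Feb  3 10:02:17 db01 postgres[1172]: LOG:  checkpoint complete",
    "<165>Feb  3 10:30:00 web01 cron[990]: (root) CMD (run-parts /etc/cron.hourly)",
    "<13>Feb  3 10:31:09 lab-test7 kernel: eth0: link up",      # not in the inventory
    "this line is not syslog at all",                            # skipped by the parser
]


def last_seen(lines: Iterable[str], year: int) -> Dict[str, datetime]:
    """Most recent timestamp per host; RFC 3164 lacks a year so the caller supplies it."""
    seen: Dict[str, datetime] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(lines: Iterable[str], expected: Set[str], now: datetime,
                 max_silence: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str]]:
    """Inventoried hosts with no line inside max_silence, with a reason string."""
    seen = last_seen(lines, now.year)
    silent: List[Tuple[str, str]] = []
    for host in sorted(expected):
        ts = seen.get(host)
        if ts is None:
            silent.append((host, "never"))
        elif now - ts > max_silence:
            silent.append((host, f"last seen {ts.isoformat()}"))
    return silent


def unexpected_hosts(lines: Iterable[str], expected: Set[str], year: int) -> List[str]:
    """Hosts that are logging but missing from the inventory (inventory is stale too)."""
    return sorted(set(last_seen(lines, year)) - expected)


def collector_report(now: datetime = datetime(2017, 2, 3, 10, 45)) -> Dict[str, list]:
    return {
        "silent": silent_hosts(SAMPLE_LOG, EXPECTED_HOSTS, now),
        "unexpected": unexpected_hosts(SAMPLE_LOG, EXPECTED_HOSTS, now.year),
    }


if __name__ == "__main__":
    for key, value in collector_report().items():
        print(f"{key}: {value}")
```

Run on a schedule against the collector's own spool, this turns "we have a syslog server" into a statement that can be falsified: a host in the silent list is either down, misconfigured, or has had its logging tampered with, and all three deserve a ticket.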

Years ago I worked for a company that had some manner of connection to the goings on for the power grid. *cough*

It was a job that afforded me all sorts of different projects, as security had previously been more of an afterthought than anything else of note. Intrusion detection systems that were racked and powered but couldn’t catch a cold. A firewall that my mother could tunnel through, and so forth. But, rather than whinge about it (to anyone other than my therapist) it was a great opportunity.

I had some great experiences working there and a few moments that caused me to question the fabric of reality as I perceived it. One such day my co-worker, let’s call him James, and I were wandering towards the door. It was the end of the day and we were clocking out. Or, so we thought.

Over the last couple of decades I have had all sorts of different jobs. I have to count myself as rather fortunate for the experiences I have had along the way. They really went a long way to teach me some valuable lessons. Also, in some cases, they taught me how to hold my tongue.

In one such job years ago, I was working on implementing a company-wide vulnerability scanning platform. As you might imagine, especially if you have done this sort of project before, there were some land mines I had to contend with in due course.

At this particular job there were all sorts of different business units who acted as individual fiefdoms and had little interest in having their system scanned by anyone. “We have a firewall, we’re fine” one team lead had grouched at me. “We have detection capabilities and we’ll know if you scan our systems."

The long, sordid list of companies that have had their payment systems compromised has added a new victim to its ranks. This past Friday the upscale Hutton Hotel, a stone’s throw from Vanderbilt University in Nashville, disclosed that the payment processing systems in their hotel had been compromised by ne’er-do-wells.

I think we have arrived at the point where companies with payment systems that have not been reviewed should assume that they’re compromised until proven otherwise. A dour assessment of things. But, when you consider that companies like Hard Rock, Target and even Trump Hotels (twice) suffered similar compromises, it really leads one to conclude that this is an activity required of any information security team. If you are responsible for a payment

Ransomware has become all the rage in the security field these days. Both from the perspective of the writers and the defenders. The media is lousy with these articles and I’m apparently not above writing about it myself. This has been grabbing the headlines in a big way simply because of the insidious nature of it.

This is a problem that won’t go away anytime soon as there is a significant revenue potential here for the criminals that leverage this sort of software. Think of the reduced risk level and the amount of the reward. The risk for a criminal to walk in to a bank with a gun and a sack with a dollar sign on the side are not trifling. There are all sorts of variables to take into account.

There have been times in my career where I found it almost necessary for me to breathe into a paper bag after hearing some asinine positions on what security should be. I have encountered what I like to refer as the “flaming sword of justice” far too often over the years. There are security practitioners who have a rather fractured view of our place in the corporate food chain.

There was a huge push by security folks years ago, less so now, that wanted to have the ability to fire people for the most trivial infractions. This attempt to grasp for what they perceived as power was a disturbing trend that I saw play out several times in particular.

In August of 2003 it was just after 4 pm and I was leaving a vendor event where I was watching a professional tennis match. I was looking forward to the weekend ahead with a light Friday on the schedule. I could not have known how wrong I was and then my cell phone began to ring. My boss was on the phone. The street lights ahead of me had gone out. That wasn’t the harbinger that in retrospect it should have been.

Boss: “Get in to the office. The power has gone out."

Me: "For the office?"

Boss: “Worse"

Me: “Toronto?"

Boss: “Worse"

Me: “Ontario?”

Boss: “All of it"

The phone then went dead and with it the northeastern part of North America went dark. The lights were out. It would be a good seven hours before any lights would come back on again.

When I was in the trenches as a defender I saw all manner of malicious software. The first one I ever encountered back in the late 80s was the Stoned virus. This was a simple program that was lobbying the infected computer operator on the subject of legalizing marijuana. It was spread through the use of infected floppy disks.

Years later I found myself standing in the office of one senior staff member when he received an email from a student. He also moonlighted as a university professor. The student professed her love for him and he was moved by the moment and clicked open the email. I lurched forward in a vain attempt to stop him but, the damage was already done.

There will be times in your career when you know that you will face a crisis. These will be times when things will go horribly and irretrievably wrong. The breach news from Yahoo yesterday is a perfect example. One question that I ask folks over and over again is, “What’s your incident response plan and have you tested it?” This will usually elicit a wide variety of responses. Seldom are they 100% positive but, better than I could have hoped for in many cases.

Then I ask the question that I never get a good answer for, “What is your crisis communication plan?” This has almost uniformly been met with glazed eye balls and slack jaws. I’ve wondered why crisis communication is treated like the red-headed step child of the incident response plan.

The University of Ottawa has found itself the subject of an investigation regarding a potential data breach. According to news reports, the information of some 900 students may have been exposed when an external hard drive went missing.

This involved the personal information of people with disabilities and mental health issues. Um, so that’s really bad. I’m having a hard time with this, as I do with so many data breaches. At first blush it appears that the information was not encrypted.

Now, it doesn’t spell that out in the report on CBC. But, if this information was contained on an encrypted drive I wouldn’t think that there would be breach notification letters being sent out and having the Ottawa police involved.

When I was a kid I was always flirting with the edge of trouble. I was really fortunate that I had strong guidance and good friends who helped to keep me from getting into any real sort of trouble. But, not everyone was so lucky. Still, for a lot of people that I knew who got themselves into trouble, their misdeeds vanished into the mists of time.

There was no social media, no websites and well, no Internet. Hindsight being what it is, I’m very happy that I was born when I was and avoided the complications of the modern world. Take for example the famous story of Kevin Colvin, who was an intern at Anglo Irish Bank. In 2007 he told his manager that he had missed work due to an apparent family emergency. This came apart when Colvin posted pictures of himself at a Halloween party which he was attending when he was allegedly dealing with family matters.

Every company I had worked for in the past was another piece in my continuing education. Along the way there have been some lessons that were recurring. One of the main ones was around backups. Time and again I would encounter the most curious backup…um, strategies.

At one company in particular I made the mistake of asking what we were doing for backups on the core production systems. I was met with confused looks and the response that any server could be rebuilt by reinstalling the operating system. I asked about the database and was met with a glazed over look.

This was a shop that had absolutely no backup plan whatsoever. When I dug a little deeper I discovered that only some systems were being backed up at all. And none of those backup tapes were ever tested. No one knew if the tapes would recover a single iota of data. But, the rationale was that the systems were being backed up and thus, compliant.
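"Backed up" and "restorable" are different claims, and only a restore drill proves the second. The following is an added example, not code from the article: it writes a hash manifest at backup time, restores to a scratch location, and verifies the restore file by file, reporting what is missing, altered or extra. Everything (the "production" tree, the backup copy, and the deliberately corrupted restore) is constructed in a temporary directory so it runs offline; in practice the manifest lives alongside the backup set and the drill runs on a schedule.

```python
"""Restore drill: hash manifest at backup time, verify after restore.

Added example; files, backup and the damaged restore are constructed in a temp dir.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root; written with the backup."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, List[str]]:
    """Compare a restored tree against the manifest taken at backup time."""
    result: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatch": [], "extra": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            result["missing"].append(rel)        # never captured, or restore skipped it
        elif sha256_of(p) != digest:
            result["mismatch"].append(rel)       # captured, but not what was backed up
        else:
            result["ok"].append(rel)
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    result["extra"] = sorted(present - manifest.keys())   # restore wrote things nobody backed up
    return result


def restore_drill() -> Dict[str, List[str]]:
    """Constructed scenario: one file corrupted, one lost, one stray, one intact."""
    work = Path(tempfile.mkdtemp())
    prod, backup, restored = work / "prod", work / "backup", work / "restored"
    try:
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (prod / "app.conf").write_text("listen = 443\n")
        (prod / "README").write_text("constructed sample tree\n")
        manifest = build_manifest(prod)           # taken at backup time
        shutil.copytree(prod, backup)             # the "backup job"
        shutil.copytree(backup, restored)         # the restore to scratch
        (restored / "app.conf").write_text("listen = 80\n")   # corrupted on the way back
        (restored / "db" / "orders.sql").unlink()             # the tape did not have it
        (restored / "junk.tmp").write_text("x")               # stray file from the restore
        return verify_restore(manifest, restored)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for category, paths in restore_drill().items():
        print(f"{category}: {paths}")
```

A drill that returns anything in `missing` or `mismatch` is the answer to "would the tapes recover a single iota of data", and it is a far better compliance artifact than a backup job's exit code.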

There is really no denying it. The Russians are still upset about the decision to ban their athletes from performing in the Olympics this year in Rio. The part that still causes me to scratch my head is that they cheated and they got caught. Full stop. There really isn’t a discussion to be had beyond that. They were caught with their hand in the medical cupboard.

The World Anti-Doping Agency (WADA) had their systems compromised, and health data pertaining to athletes who participated in this year’s games was published to a website controlled by an apparently Russian-based attack group.